Notes

This is a well-known design deficiency in pyyaml, various CVE IDs have been assignedto applications misusing the API over the years. The CVE ID was assigned to raiseawareness (and 4.1 now fixes the default behaviour as well)https://github.com/yaml/pyyaml/pull/74